b'                                                                         Semiannual\n                                                                         Report to Congress\n                                                                         October 1, 2012 to\n                                                                         March 31, 2013\n\n\n\n\n                                                             Office Of\n                                                             inspectOr General\n\n\n\n\n        Additional copies of this report may be obtained\n\n        by contacting the Office of Inspector General at\n\n        202.551.6061. This report is also available on the               U.S. SeCURITIeS And\n\n                                                                         exChAnGe COMMISSIOn\n        Inspector General\xe2\x80\x99s website at www.sec-oig.gov.\n\n\n\n\nOIG SAR cover_final.indd 1                                                                     5/2/13 3:51 PM\n\x0c\x0c                         Office Of inspectOr General\n\nSemiannual RepoRt to CongReSS\n                   O c tO b e r 1 , 2 01 2 \xe2\x80\x93 M a r c h 3 1 , 2 01 3\n\n\n\n\n T\n         he mission of the Office of Inspector General (OIG) is to promote the integrity,\n         efficiency, and effectiveness of the critical programs and operations of the United\n         States (U.S.) Securities and Exchange Commission (SEC or Commission). This\n mission is best achieved by having an effective, vigorous, and independent office of\n seasoned and talented professionals who perform the following functions:\n\n \xe2\x80\xa2\t   Conducting\tindependent\tand\tobjective\taudits,\tevaluations,\tinvestigations,\tand\tother\t\n      reviews of SEC programs and operations;\n \xe2\x80\xa2\t   Preventing\tand\tdetecting\tfraud,\twaste,\tabuse,\tand\tmismanagement\tin\tSEC\tprograms\t\n      and operations;\n \xe2\x80\xa2\t   Identifying\tvulnerabilities\tin\tSEC\tsystems\tand\toperations\tand\trecommending\t\n      constructive solutions;\n \xe2\x80\xa2\t   Offering\texpert\tassistance\tto\timprove\tSEC\tprograms\tand\toperations;\n \xe2\x80\xa2\t   Communicating\ttimely\tand\tuseful\tinformation\tthat\tfacilitates\tmanagement\tdecision\t\n      making and the achievement of measurable gains; and\n \xe2\x80\xa2\t   Keeping\tthe\tCommission\tand\tCongress\tfully\tand\tcurrently\tinformed\tof\tsignificant\t\n      issues and developments.\n\n\n\n\n                                                    OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013             |   i\n\x0c\x0c                                  ContentS\n\n\n\nMessaGe frOM the inspectOr General . . . . . . . . . . . . . . . . . . . . . . . . . . 1\n\n\n\nManaGeMent and adMinistratiOn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3\n\nAgency Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3\n\nOIG Staffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3\n\n\n\ncOnGressiOnal testiMOnY, requests, and briefinGs . . . . . . . . . . . . . . . . . 4\n\n\n\nadvice and assistance prOvided tO the aGencY. . . . . . . . . . . . . . . . . . . . 5\n\nEmployee\tSuggestion\tProgram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5\n\nOIG Outreach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5\n\n\n\ncOOrdinatiOn with Other Offices Of inspectOr General . . . . . . . . . . . . . 6\n\n\n\naudits and evaluatiOns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7\n\nOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .    .   .   .   .   .   .   .   .   .   .   . 7\n\n   Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   .   .   .   .   .   .   .   .   .   .   . 7\n\n   Evaluations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .    .   .   .   .   .   .   .   .   .   .   . 7\n\nAudits and Evaluations Conducted . . . . . . . . . . . . . . . . . . . . . .      .   .   .   .   .   .   .   .   .   .   . 7\n\n   SEC\xe2\x80\x99s Controls Over Sensitive/Nonpublic Information Collected and\n\n        Exchanged with the Financial Stability Oversight Council and\n\n        Office of Financial Research (Report No. 509) . . . . . . . . . .         . . . . . . . . . . . 7\n\n   Evaluation of the SEC\xe2\x80\x99s Whistleblower Program (Report No. 511) . .             . . . . . . . . . . . 8\n\n    2012 Federal Information Security Management Act (FISMA)\n\n        Executive Summary Report (Report No. 512) . . . . . . . . . . . . . . . . . . . . . . 9\n\n    Audit of SEC\xe2\x80\x99s Controls over Support Service, Expert, and\n\n        Consulting Service Contracts (Report No. 513) . . . . . . . . . . . . . . . . . . . . . 9\n\n    Audit of the SEC\xe2\x80\x99s Filing Fees Program (Report No. 514) . . . . . . . . . . . . . . . . . 10\n\n    Review of the SEC\xe2\x80\x99s Systems Certification and Accreditation\n\n        Process (Report No. 515) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10\n\n    Inspector General\xe2\x80\x99s Report of the U.S. Securities and Exchange\n\n        Commission\xe2\x80\x99s Fiscal Year 2012 Compliance with the Improper\n\n        Payments Elimination and Recovery Act . . . . . . . . . . . . . . . . . . . . . . . . 11\n\n\n\n\n\n                                                      OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                                             |   iii\n\x0c      Pending\tAudits\tand\tEvaluations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11\n          Hiring Practices for Senior Level Positions at the SEC . . . . . . . . . . . . . . . . . . . 11\n          The SEC Rulemaking Procedures and Current Guidance on\n              Economic Analysis in Rulemakings . . . . . . . . . . . . . . . . . . . . . . . . . . . 12\n          Government Purchase Card and Convenience Check Operations and\n             Practices at the SEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12\n\n      investiGatiOns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13\n      Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                         . . . . . 13\n      Investigations and Inquiries Conducted . . . . . . . . . . . . . . . . . . . . . . . .                           . . . . . 13\n          Follow-up Investigation Relating to Forensic Analysis of\n               Division of Trading and Markets Laptops (Report No. OIG-577) . . . . .                                  . . . . . 13\n          Allegations of Potential Stalking, Harassment, and Inappropriate\n               Touching (Report No. OIG-579) . . . . . . . . . . . . . . . . . . . . . .                               . . . . . 14\n          Alleged Misuse of Federal Government Resources, Failure to Protect\n               Sensitive Government Information, and Circumvention of Information\n               Technology Procedures (Report No. OIG-580) . . . . . . . . . . . . . . .                                . . . . . 14\n          Alleged Violations of Federal Travel Regulation by Employee Participating in a\n               Long-Distance Telework Arrangement (Report No. OIG-584) . . . . . .                                     .   .   .   .   . 15\n          Allegation of Improper Promotion (PI 11-38). . . . . . . . . . . . . . . . . . .                             .   .   .   .   . 15\n          Time and Attendance Violations in SEC Regional Office (PI 11-40) . . . . . . .                               .   .   .   .   . 16\n          Allegations of Procurement Violations (PI 12-11) . . . . . . . . . . . . . . . . .                           .   .   .   .   . 16\n          Complaints of Waste, Mismanagement, and Conflicts of Interest in a\n               Division of Enforcement Computer Lab (PI 12-20) . . . . . . . . . . . . .                               . . . . . 16\n\n\n      review Of leGislatiOn and reGulatiOns. . . . . . . . . . . . . . . . . . . . . . . . 17\n\n\n      ManaGeMent decisiOns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18\n      Status of Recommendations with No Management Decisions .         .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 18\n      Revised Management Decisions . . . . . . . . . . . . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 18\n      Agreement with Significant Management Decisions . . . . . .      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 18\n      Instances Where Information was Refused . . . . . . . . . . .    .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 18\n\n\n\n\niv   |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0ctables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19\n\nTable 1 List of Reports: Audits and Evaluations. . . . . . . . . . . . .     . . . . . . . . . . . . 19\n\nTable\t2\t\t Reports\tIssued\twith\tCosts\tQuestioned\tor\tFunds\tPut\tto\t\n             Better Use (Including Disallowed Costs) . . . . . . . . . .     . . . . . . . . . . . . 19\n\nTable 3 Reports with Recommendations on Which Corrective Action\n\n             Has Not Been Completed. . . . . . . . . . . . . . . . . .       . . . . . . . . . . . . 20\n\nTable 4 Summary of Investigative Activity . . . . . . . . . . . . . . . .    . . . . . . . . . . . . 25\n\nTable 5 Summary of Complaint Activity. . . . . . . . . . . . . . . . .       . . . . . . . . . . . . 26\n\nTable 6 References to Reporting Requirements of the\n\n             Inspector General Act . . . . . . . . . . . . . . . . . . . .   . . . . . . . . . . . . 27\n\n\n\nappendix a. peer reviews Of OiG OperatiOns . . . . . . . . . . . . . . . . . . . . . 29\n\nPeer\tReview\tof\tthe\tSEC\tOIG\xe2\x80\x99s\tAudit\tOperations\t . . . . . . . . . . . . . . . . . . . . . . . . 29\n\nPeer\tReview\tof\tthe\tSEC\tOIG\xe2\x80\x99s\tInvestigative\tOperations . . . . . . . . . . . . . . . . . . . . . 29\n\n\n\n\n\n                                                      OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                       |   v\n\x0cmeSSage\n\x0cfRom the inSpeCtoR geneRal\n\n\n                                    I\n                                          am pleased to present this Semiannual Report to\n                                          Congress as Inspector General (IG) of the U.S. Securities\n                                          and Exchange Commission (SEC or Commission).\n                                    This report describes the work of the SEC Office of Inspector\n                                    General (OIG) for the period from October 1, 2012, to\n                                    March 31, 2013. It also reflects our dual responsibility to\n                                    report independently to both the Commission and Congress.\n     The audits, reviews, and investigations described illustrate OIG efforts to promote the\n     efficiency and effectiveness of the SEC.\n\n     As an initial matter, I would like to take this oppor\xc2\xad   Consequently, OIG capabilities and effectiveness\n     tunity to thank the Honorable Jon T. Rymer for his       have been reduced. As a result, one of my top\n     dedicated service to the OIG and the Commission.         priorities for the upcoming year is to increase the\n     He is the Inspector General for the Federal Deposit      OIG\xe2\x80\x99s\tcapabilities\tby\trebuilding\tthe\tOIG.\tI\tam\t\n     Insurance Corporation and from May 30, 2012,             working closely with the SEC Office of Human\n     until January 31, 2013, concurrently served as the       Resources (OHR) to fill the leadership and critical\n     SEC Interim IG. The OIG is grateful for his leader\xc2\xad      positions as quickly as possible. After the OIG lead\xc2\xad\n     ship and guidance during a time of transition.           ership team is in place, we will methodically review\n                                                              our business processes and retool as necessary to\n     On February 11, 2013, I began my tenure as the           make the OIG a more effective, responsive entity.\n     SEC IG, leading an office with talented staff fac\xc2\xad\n     ing significant challenges. The OIG has operated         Notwithstanding the challenges faced by the OIG\n     without a permanent leader for more than a year          during this semiannual reporting period, the OIG\n     and without the key senior leadership positions of       staff is committed to promoting the efficiency and\n     Deputy IG and Assistant IG for Investigations for        effectiveness\tof\tthe\tSEC\xe2\x80\x99s\tprograms\tand\toperations.\t\n     several months. Additionally, the office lacked          During the reporting period, the OIG Office of\n     necessary audit and investigative staffing levels.       Audits issued seven reports, including a statutorily-\n\n\n                                                              OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                  |   1\n\x0cmandated\tevaluation\tof\tthe\tSEC\xe2\x80\x99s\twhistleblower\t         In\tclosing,\tthe\tOIG\xe2\x80\x99s\tmission\tis\tto\tpromote\tthe\t\nprogram;\tan\taudit\ton\tthe\tSEC\xe2\x80\x99s\tcontrols\tover\t           integrity, efficiency, and effectiveness of SEC pro\xc2\xad\nsupport service, expert, and consulting service         grams and operations, and to report our findings\ncontracts;\tand\tan\taudit\tof\tthe\tSEC\xe2\x80\x99s\tfiling\tfees\t       and recommendations to the agency and Congress.\nprogram. Further, during the reporting period, the      The OIG will improve its efficiency and effec\xc2\xad\nOffice of Audits worked with SEC management             tiveness through organizational and procedural\nto close 47 recommendations arising out of OIG          changes and by growing our staff resources. We\nreports. In the upcoming reporting period, the          will also work collaboratively with the SEC man\xc2\xad\nOffice of Audits will issue two reports requested by    agement without yielding independence to assist\nCongress related to the economic analyses per\xc2\xad          the agency in addressing the challenges it faces in its\nformed by the SEC in its rulemaking processes.          unique and important mission to protect investors,\n                                                        maintain fair, orderly, and efficient markets, and\nThe OIG Office of Investigations completed 5            facilitate capital formation.\ninvestigations and 29 inquiries during the reporting\nperiod, including the forensic analysis of certain      I appreciate the significant support the Office has\nDivision of Trading and Markets laptops and an          received from Congress and the Commission.\ninquiry into allegations of procurement violations.     We look forward to working closely with the\nOur investigative reports and memoranda resulted        SEC Chairman, Commissioners, employees, and\nin one referral to the agency for consideration of      Congress to increase efficiency and effectiveness\nappropriate administrative action, three referrals to   in SEC programs and operations.\nthe OIG Office of Audits for consideration of audit\nfollow-up work, and specific recommendations for\nimprovement in agency policies and procedures.\n\n                                                                                Carl W. Hoecker\n                                                                                Inspector General\n\n\n\n\n2   |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0c                            management and\n\n                             adminiStRation\n\n\naGencY Overview                                           tion\tCorporation\t(SIPC).\tWhile\tabout\t2,000\tsmaller\t\n\n\n\nT\n         he\tSEC\xe2\x80\x99s\tmission\tis\tto\tprotect\tinvestors;\t       investment advisers transitioned to state regulation\n         maintain fair, orderly, and efficient markets;   under the Dodd-Frank Wall Street Reform and\n         and facilitate capital formation. The SEC        Consumer\tProtection\tAct\t(Dodd-Frank\tAct),\tthe\t\nstrives to promote a market environment that is           SEC has gained responsibility for directly overseeing\nworthy\tof\tthe\tpublic\xe2\x80\x99s\ttrust\tand\tcharacterized\tby\t        approximately 1,500 larger private fund advisers,\ntransparency and integrity. Its core values consist of    including hedge fund advisers.\nintegrity, accountability, effectiveness, teamwork,\nfairness,\tand\tcommitment\tto\texcellence.\tThe\tSEC\xe2\x80\x99s\t        In order to accomplish its mission, the SEC is orga\xc2\xad\ngoals are to foster and enforce compliance with the       nized into 5 main divisions (Corporation Finance;\nfederal securities laws; establish an effective regula\xc2\xad   Enforcement; Investment Management; Trading and\ntory environment; facilitate access to the information    Markets; and Risk, Strategy, and Financial Innova\xc2\xad\ninvestors need to make informed investment deci\xc2\xad          tion)\tand\t23\tfunctional\toffices.\tThe\tCommission\xe2\x80\x99s\t\nsions;\tand\tenhance\tthe\tCommission\xe2\x80\x99s\tperformance\t          headquarters is in Washington, D.C., and there are\nthrough effective alignment and management of             11 regional offices located throughout the country.\nhuman resources, information, and financial capital.      As of September 30, 2012, the SEC employed 3,792\n                                                          full-time equivalents (FTE), consisting of 3,752\nSEC staff monitor and regulate a securities industry      permanent and 40 temporary FTEs.\ncomprising more than 35,000 registrants, includ\xc2\xad\ning approximately 9,500 public companies, 11,800          OiG staffinG\ninvestment advisers, approximately 4,200 mutual           On February 11, 2013, Carl W. Hoecker was sworn\nfunds, and about 5,400 broker-dealers, as well as         in as the SEC IG. From May 30, 2012, until January\nnational securities exchanges and self-regulatory         31, 2013, Jon T. Rymer served as the Interim IG.\norganizations (SRO), 450 transfer agents, 17\nnational securities exchanges, 9 registered clearing      Two senior leadership positions of Deputy IG and\nagencies, and 9 credit rating agencies. Additionally,     Assistant IG for Investigations have not been filled.\nthe\tagency\thas\toversight\tresponsibility\tfor\tthe\tPublic\t   Additionally, the office lacks necessary audit and\nCompany\tAccounting\tOversight\tBoard\t(PCAOB),\t              investigative staffing levels. Although the OIG\nthe Financial Industry Regulatory Authority               hired two supervisory auditors during the reporting\n(FINRA), the Municipal Securities Rulemaking              period, filling the leadership and other vacancies are\nBoard\t(MSRB),\tand\tthe\tSecurities\tInvestor\tProtec\xc2\xad         a priority for the OIG.\n\n\n                                                           OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                    |     3\n\x0c             CongReSSional teStimonY,\n\n              ReQueStS, and BRiefingS\n\n\n\nT\n       he OIG continued to keep Congress fully          On March 12, 2013, the IG testified in an oversight\n       and currently informed of OIG investi\xc2\xad           hearing before the U.S. House of Representatives\n       gations, audits, and other activities through    Subcommittee on Financial Services and General\ntestimony, reports, meetings, and telephonic com\xc2\xad       Government, Committee on Appropriations, with\nmunications. OIG staff briefed and had discussions      respect\tto\tthe\tOIG\xe2\x80\x99s\tbudget\tand\tother\tmatters\tof\t\nwith Members of Congress and Congressional staff        subcommittee concern.\nconcerning OIG work and issues impacting the SEC\nthroughout the semiannual reporting period.             On March 29, 2013, the OIG responded to a\n                                                        February 25, 2013, Congressional request for\nOn January 22, 2013, the OIG responded to a             information\trelating\tto\tthe\tSEC\xe2\x80\x99s\tclimate\tchange\t\nDecember 5, 2012, request from the U.S. House           initiatives.\tThe\tOIG\tdescribed\tthe\tSEC\xe2\x80\x99s\tauthorities\t\nof Representatives Committee on Oversight and           to\tgovern\tpublic\tcompanies\xe2\x80\x99\tdisclosures,\tincluding\t\nGovernment Reform for information about the             those related to the effects of climate change and\nOIG\xe2\x80\x99s\thighest\tpriority\trecommendations\tfor\treduc\xc2\xad       noting that the laws and rules that govern the U.S.\ning waste and increasing efficiency. In the response,   securities industry are written to ensure that all\nthe OIG noted that the SEC has very few open and        investors\xe2\x80\x93\xe2\x80\x93whether large institutions or private indi\xc2\xad\nunimplemented recommendations that carry over           viduals\xe2\x80\x93\xe2\x80\x93have access to the proper assortment of\nfrom year to year. We noted that the Commission\xc2\xad        facts about an investment prior to buying it and for\ners, the SEC management, and the OIG continue a         the duration that the investment is held. The OIG\nshared desire to improve SEC programs, operations,      also\thighlighted\tthe\tSEC\xe2\x80\x99s\trequirements\tthat\tpublic\t\nand working relationships.                              companies disclose meaningful financial and other\n                                                        material information to the public, including those\n                                                        relating to the effects of climate change.\n\n\n\n\n4   |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0c                 adviCe and aSSiStanCe\n\n                pRovided to the agenCY\n\n\n\nT\n       he OIG provided advice and assistance           Another suggestion related to providing informa\xc2\xad\n       to SEC management on issues that were           tion to new employees. Specifically, the employee\n       brought\tto\tthe\tOIG\xe2\x80\x99s\tattention\tthrough\tvari\xc2\xad    suggested that the SEC provide new employees with\nous means. This advice and assistance was conveyed     a guidebook to the acronyms used at the agency.\nthrough written communications, as well as in          The OIG discussed this suggestion with OHR and\nmeetings and conversations with agency officials.      SEC University representatives. In response, the SEC\n                                                       indicated that it would include a list of acronyms in\neMplOYee suGGestiOn prOGraM                            its new employee guide.\nDuring this six-month reporting period, the OIG\nreceived nine suggestions and four allegations         OiG Outreach\nthrough\tthe\tEmployee\tSuggestion\tProgram.\tIn\tone\t       The IG regularly met with the Chairman, Commis\xc2\xad\ninstance, an employee suggested that the default       sioners, and SEC division and office senior officers\nsettings on all SEC computers should be set to two-    to foster open communications at all levels between\nsided printing and that employees should have to       the OIG and the agency. This effort will ensure that\nmanually select one-sided printing when necessary.     the OIG is kept up to date on significant matters\nThe employee stated that this would result in SEC      relevant to OIG work. This regular communication\ncost savings and be environmentally friendly. The      will also allow OIG and agency management to\nOIG recommended that the SEC alert employees           work cooperatively in identifying the most impor\xc2\xad\nthat double-sided printing is available and provide    tant areas for OIG work, as well as the best means\ngeneral instructions for those who wish to make        of addressing the results of that work.\ndouble-sided printing their default setting. The SEC\nresponded, indicating that it preferred to leave the   On March 20, 2013, the IG participated in an SEC\ndecision of whether to print double-sided or single-   Town Hall meeting which all SEC employees were\nsided up to individual staff members. However,         invited to attend in person or via teleconference. At\nrecognizing the potential for cost savings and the     this meeting, the IG explained the role of the OIG,\nfavorable environmental impact of reducing paper       including its audit and investigatory functions. The\nusage, the SEC issued instructions for selecting       IG also responded to questions from the SEC staff\ndouble-sided printing.                                 concerning OIG issues.\n\n\n\n\n                                                        OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                   |     5\n\x0c         CooRdination With otheR\n\n        offiCeS of inSpeCtoR geneRal\n\n\n\nD\n          uring this reporting period, the OIG             investigations and criminal investigations person\xc2\xad\n          coordinated its activities with those of         nel, and establish criminal investigative guidelines.\n          other OIGs, as required by Section 4(a)(4)       For example, the Investigations Committee assisted\nof the Inspector General Act of 1978, as amended.          the CIGIE Information Technology Committee in\nSpecifically, the OIG participated in the meetings         developing Quality Standards for Digital Forensics\nand activities of the Council of Inspectors General        to provide a framework for performing high-quality\non Financial Oversight (CIGFO), which was created          digital forensics. CIGIE issued these standards on\nby Section 989E of the Dodd-Frank Act. CIGFO               November 20, 2012.\nis chaired by the IG of the Department of Treasury\nand is also comprised of the Inspectors General of         The OIG also contributed information to a CIGIE\nthe Board of Governors of the Federal Reserve Sys\xc2\xad         report summarizing compliance by Inspectors\ntem, the Commodity Futures Trading Commission,             General\twith\tthe\tImproper\tPayments\tElimination\t\nthe Department of Housing and Urban Develop\xc2\xad               and Recovery Act of 2010. In addition, the OIG\nment, the Federal Deposit Insurance Corporation,           responded to numerous CIGIE surveys during the\nthe Federal Housing Finance Agency, the National           reporting period, including surveys related to suspen\xc2\xad\nCredit Union Administration, the Special Inspec\xc2\xad           sion and debarment, annual statistical data, and the\ntor\tGeneral\tfor\tthe\tTroubled\tAsset\tRelief\tProgram,\t        redesigned\tCIGIE\xe2\x80\x99s\twebsite.\t\nand the SEC. Under the Dodd-Frank Act, CIGFO\nis required to meet at least quarterly to facilitate the   Moreover, the Counsel to the IG participated in the\nsharing of information with a focus on the concerns        activities of the Council of Counsels to the Inspectors\nthat may apply to the broader financial sector and         General, an informal organization of OIG attor\xc2\xad\nways to improve financial oversight.                       neys throughout the federal government who meet\n                                                           monthly and coordinate and share information.\nIn addition, the IG attended meetings of the Council\nof the Inspectors General on Integrity and Efficiency      Finally, the OIG Office of Audits provided support\n(CIGIE) and served as the Chairman of the CIGIE            to the U.S. Commodity Futures Trading Commis\xc2\xad\nInvestigations Committee. The mission of the               sion (CFTC) OIG by participating in a technical\nInvestigations Committee is to advise the Inspector        evaluation panel that was convened to select a con\xc2\xad\nGeneral community on issues involving criminal             tractor to conduct an upcoming CFTC evaluation.\n\n\n\n\n6   |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0c                                    auditS and\n\n                                   evaluationS\n\n\nOverview                                                 evaluations\n\n\nT\n         he OIG is required by the Inspector General     The Office of Audits also conducts evaluations\n         Act of 1978, as amended, to conduct audits      of SEC programs and activities. Evaluations are\n         and evaluations of agency programs, opera\xc2\xad      generally\tconducted\twhen\ta\tproject\xe2\x80\x99s\tobjectives\tare\t\ntions, and activities. The Office of Audits focuses      based on specialty or highly technical areas, criteria\nits efforts on conducting independent audits and         or data are not firm, or the information must be\nevaluations\tof\tSEC\xe2\x80\x99s\tprograms,\toperations\tand\tfunc\xc2\xad      reported in a short period of time. Evaluations are\ntions. The Office of Audits also hires independent       conducted in accordance with OIG policy and\ncontractors\tand\tsubject\tmatter\texperts\tto\tconduct\t       governing CIGIE guidance.\nwork on its behalf.\n\nEach year, the Office of Audits prepares an annual       audits and evaluatiOns\naudit plan. The plan includes work that is selected      cOnducted\nfor audit or evaluation based on risk and materiality,\nknown or perceived vulnerabilities and inefficiencies,   sec\xe2\x80\x99s controls Over sensitive/nonpublic\nresource availability, and information received from     information collected and exchanged\nCongress, internal SEC staff, the U.S. Government        with the financial stability Oversight\nAccountability Office, and the public.                   council and Office of financial research\n                                                         (report no. 509)\naudits                                                   The OIG conducted an audit to follow up on SEC\nAudits examine operations and financial trans\xc2\xad           deficiencies identified in the June 22, 2012, CIGFO\nactions to ensure proper management practices            report entitled, Audit of the Financial Stability\nare being followed and resources are adequately          Oversight Council\xe2\x80\x99s Controls over Non-public\nprotected in accordance with governing laws and          Information. Specifically, the OIG examined the\nregulations. Auditors collect, analyze, and verify       controls and protocols the SEC employs to ensure\ndata by gathering documentation, conducting              that sensitive and nonpublic information collected\ninterviews, and through physical inspections. The        and exchanged with the Financial Stability Oversight\nOffice of Audits conducts audits in accordance with      Council (FSOC), its member agencies, and the Office\nthe Government Auditing Standards issued by the          of Financial Research (OFR) is properly safeguarded\nComptroller General of the United States, OIG            from unauthorized disclosure. The scope of the audit\npolicy, and CIGIE guidance.                              did not include an inquiry into whether there was\n\n\n                                                          OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                   |   7\n\x0cany unauthorized disclosure of confidential infor\xc2\xad      The\tOIG\tfound\tthat\tSEC\xe2\x80\x99s\twhistleblower\tprogram\t\nmation. The audit found that SEC employees and          was clearly defined and user-friendly for individuals\ncontractors who access the SEC e-mail system using      with a basic knowledge of the securities laws, rules,\nOutlook Web Access are not restricted from saving       and regulations. Further, the SEC Office of Whistle\xc2\xad\nand uploading sensitive or nonpublic information        blower\xe2\x80\x99s\toutreach\tefforts\thad\tbeen\tstrong\tand\tinfor\xc2\xad\non non-SEC computers. Consequently, sensitive or        mation about the whistleblower program was easily\nnonpublic information could potentially be disclosed    located on the Internet. The OIG also found the SEC\nto unauthorized persons.                                generally was prompt in responding to information\n                                                        provided by whistleblowers and applications for\nThe audit also found that the SEC has not appointed     whistleblower awards, as well as in communicating\nprimary information owners to oversee information       with interested parties. However, the whistleblower\nreceived and shared with FSOC, its member agen\xc2\xad         program\xe2\x80\x99s\tinternal\tcontrols\tneeded\tto\tbe\tstrength\xc2\xad\ncies, or OFR. In addition, a protocol for inventory\xc2\xad    ened by adding performance metrics.\ning documents and ensuring they are appropriately\nmarked has not been fully developed. As a result,       The\taward\tlevels\tfor\tthe\tSEC\xe2\x80\x99s\twhistleblower\tpro\xc2\xad\nthe SEC may be unable to readily identify informa\xc2\xad      gram were comparable to the award levels of other\ntion owners and ensure documents are tracked and        federal government whistleblower programs and\nmarked appropriately. Finally, the audit found that     ranged from 10 to 30 percent of the monetary sanc\xc2\xad\nthe SEC contractors received network user accounts      tions\tcollected.\tThe\tOIG\tdetermined\tthat\tthe\tSEC\xe2\x80\x99s\t\nand have 30 days thereafter to complete the required    award levels are reasonable and should not change\nonline security awareness training. Thus, contractors   at this time.\ncould unintentionally mishandle or disclose sensitive\nor nonpublic SEC information.                           Further, the OIG found the funding mechanism for\n                                                        the\tInvestor\tProtection\tFund\testablished\tby\tSection\t\nThe OIG issued the final report on March 25, 2013,      922 of the Dodd-Frank Act was adequate. However,\nand made five recommendations that are intended to      the OIG determined it was premature to introduce a\nstrengthen\tthe\tSEC\xe2\x80\x99s\tprotection\tof\tsensitive/non-       private\tright\tof\taction\tinto\tthe\tSEC\xe2\x80\x99s\twhistleblower\t\npublic information that is collected and exchanged      program because it had only been in place since\nwith FSOC and OFR. SEC management agreed                August 2011. Finally, the OIG found the Freedom\nto fully implement all of the recommendations.          of Information Act exemption added by the Dodd-\nThis\treport\tis\tavailable\ton\tthe\tOIG\xe2\x80\x99s\twebsite\tat:\t      Frank Act encourages whistleblowers to disclose\nhttp://www.sec-oig.gov\t/Reports/Audits-                 information to the SEC by providing an additional\nInspections/2013/509.pdf.\t                              safeguard for whistleblower confidentiality. This\n                                                        exemption\thad\tno\tsignificant\timpact\ton\tthe\tpublic\xe2\x80\x99s\t\nevaluation of the sec\xe2\x80\x99s whistleblower                   ability\tto\taccess\tinformation\tregarding\tthe\tSEC\xe2\x80\x99s\t\nprogram (report no. 511)                                regulation and enforcement of the federal securities\nSection 922 of the Dodd-Frank Act required the          laws.\nOIG to conduct a review of the whistleblower\nprotections added by that section and to report its     The OIG issued the final report on January 18,\nfindings no later than 30 months after the Dodd-        2013, and made two recommendations intended\nFrank\tAct\xe2\x80\x99s\tenactment\tto\tthe\tU.S.\tSenate\tCommit\xc2\xad        to strengthen the whistleblower complaint process.\ntee on Banking, Housing, and Urban Affairs and          Management agreed to fully implement the recom\xc2\xad\nthe U.S. House of Representatives Committee on          mendations.\tThis\treport\tis\tavailable\ton\tthe\tOIG\xe2\x80\x99s\t\nFinancial Services.\n\n\n\n\n8   |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0cwebsite\tat:\thttp://www.sec-oig.gov/Reports/Audits\t      audit of sec\xe2\x80\x99s controls over support service,\nInspections/2013/511.pdf.                               expert, and consulting service contracts\n                                                        (report no. 513)\n2012 federal information security                       The OIG contracted with Castro & Company, LLC\nManagement act (fisMa) executive                        (Castro)\tto\tconduct\tan\taudit\tof\tthe\tSEC\xe2\x80\x99s\tsupport\t\nsummary report (report no. 512)                         service, expert, and consulting service contracts and\nThe OIG contracted the services of Networking           identify potential areas for improvement.\nInstitute of Technology, Inc. to conduct the fiscal\nyear\t2012\tFISMA\tassessment\tof\tthe\tSEC\xe2\x80\x99s\tsecurity\t       The\taudit\xe2\x80\x99s\toverall\tobjective\twas\tto\tdetermine\t\nrequirements.\tThe\toverall\tobjective\tof\tthis\tproject\t    whether\tthe\tSEC\xe2\x80\x99s\tOffice\tof\tAcquisitions\t(OA),\t\nwas\tto\tassess\tthe\tSEC\xe2\x80\x99s\tsystems\tand\tincorporate\tthe\t    when awarding support service, expert, and consult\xc2\xad\nresult\tof\tthe\tassessment\tinto\tthe\tOIG\xe2\x80\x99s\tcontribution\t   ing service contracts, complied with governing laws\nto\tthe\tSEC\xe2\x80\x99s\tfiscal\tyear\t2012\tFISMA\treport\tto\tOMB.\t     and regulations regarding personal services contracts\nIn addition, the contractor independently evalu\xc2\xad        (PSC)\tand\tinherently\tgovernmental\tfunctions\t(IGF).\t\nated how SEC implemented the following security\nrequirements: systems inventory and the quality of      Castro found that prior to November 15, 2012,\nthe inventory, enterprise security architecture, data   OA did not have any written policy related to the\nand boundary protection, and network security pro\xc2\xad      management and administration of service contracts.\ntocols. The findings of the assessment included those   Further, OA did not have controls at that time that\nsummarized below.                                       would prevent contracting personnel or SEC staff\n                                                        from forming employer-employee relationships and\nOIT did not fully conduct and document continuous       entering\tinto\tPSCs.\tThe\taudit\tidentified\ta\tnumber\t\nmonitoring and had not defined baseline configura\xc2\xad      of\tcontrol\tdeficiencies\tconcerning\tthe\tSEC\xe2\x80\x99s\tcontrols\t\ntions or conducted configuration compliance scan\xc2\xad       over support service and consulting contracts. The\nning for all devices. Further, OIT neither addressed    audit also determined that OA did not take adequate\nthe requirements needed for a comprehensive gover\xc2\xad      measures in developing contract language for specific\nnance structure and overall organizational security     contracts\tto\tdescribe\tthe\tcontractors\xe2\x80\x99\tjob\tduties\tand\t\nrisk management, nor addressed risk from a mission      responsibilities.\nand business process perspective. Moreover, OIT\ndid not disable the network accounts for all users      Further,\tthe\taudit\tfound\tOA\xe2\x80\x99s\tnewly\tissued\tguidance\t\nwho no longer required access and could improve         and operating procedures should be strengthened\nits process for documenting the interfaces between      to better ensure SEC personnel are trained and are\nthe\tcontractor/external\tsystems\tand\tSEC-operated\t       provided guidance regarding their responsibilities to\nsystems in its system inventory.                        administer and manage contractors.\n\nThe OIG issued the final report on March 29, 2013,      The OIG issued the final report on March 29,\nand made six repeat recommendations and five new        2013, and made seven recommendations intended\nrecommendations\tto\tstrengthen\tthe\tSEC\xe2\x80\x99s\tcontrols\t       to\tstrengthen\tOA\xe2\x80\x99s\tcontrols\tover\tsupport\tservice,\t\nover information security. Management agreed to         expert, and consulting service contracts. OA agreed\nimplement all of the recommendations. This report       to\tfully\timplement\tall\tthe\treport\xe2\x80\x99s\trecommendations.\t\nis\tavailable\ton\tthe\tOIG\xe2\x80\x99s\twebsite\tat:\thttp://www.sec-   This\treport\tis\tavailable\ton\tthe\tOIG\xe2\x80\x99s\twebsite\tat:\t\noig.gov/Reports/Audits\tInspections/2013/512.pdf.        http://www.sec-oig.gov/Reports/Audits-\n                                                        Inspections/2013/513.pdf.\n\n\n\n\n                                                         OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                   |   9\n\x0caudit of the sec\xe2\x80\x99s filing fees program                       istrant refunds. Furthermore, the audit determined\n(report no. 514)                                             an analysis of older filing fee registrant transactions\nThe\tOIG\tcontracted\twith\tWilliams\tAdley-DC,\tLLP,\t             needs to be completed to ensure revenue is properly\nan independent public accounting firm, to conduct            recognized in OFM financial reports. OFM has\nan\taudit\tof\tthe\tSEC\xe2\x80\x99s\trefund\trequest\tprocesses\tand\t          begun reviewing non-dormant registrant accounts,\nmanagement of dormant accounts. The overall audit            based on the expected costs and benefits for each\nobjectives\twere\tto\tdetermine\twhether:\t(1)\tthe\tOffice\t        account.\tHowever,\tOFM\xe2\x80\x99s\treview\tof\tnon-dormant\t\nof Financial Management (OFM) had developed                  registrant accounts has not been fully completed.\nwritten policies and standard operating procedures\ncovering oversight of the filing fees program; (2)           The OIG issued the final report on March 29,\nfiling fees staff are adequately trained and have the        2013, and made four recommendations intended to\nrequisite skills needed to carry out their duties and        strengthen\tOFM\xe2\x80\x99s\tinternal\tcontrol\tover\tfiling\tfees\t\nresponsibilities; (3) the EDGAR Momentum system              policies and procedures. OFM agreed to implement\nused to track filing fees refund requests is appropri\xc2\xad       all\tthe\treport\xe2\x80\x99s\trecommendations.\tThis\treport\tis\t\nate; (4) filing fees backlogs and dormant accounts           available\ton\tthe\tOIG\xe2\x80\x99s\twebsite\tat:\thttp://www.sec-\nare properly administered and managed; and                   oig.gov/Reports/Audits\tInspections/2013/514.pdf.\n(5) filing fees refunds are disbursed by the U.S.\nDepartment of Treasury to the appropriate regis\xc2\xad             review of the sec\xe2\x80\x99s systems\ntrants as requested.                                         certification and accreditation process\n                                                             (report no. 515)\nThe SEC receives monies through the collection of            The OIG contracted the services of Networking\nsecurities registration, tender offer, merger, and other     Institute of Technology, Inc. (NIT) to conduct an\nfees (filing fees) from registrants. The SEC records         independent\tevaluation\tto\tassess\tOIT\xe2\x80\x99s\tcertifica\xc2\xad\nthe filing fees it collects as revenue. However, if regis\xc2\xad   tion and accreditation (C&A) process and deter\xc2\xad\ntrants submit payments to the SEC that are in excess         mine compliance with governing SEC policies and\nof the actual fee that is due for a filing, the SEC          procedures, industry best practices, and applicable\nrecords\tthe\texcess\tpayment\tin\tthe\tregistrant\xe2\x80\x99s\tdeposit\t      government laws, directives, regulations, and pub\xc2\xad\nliability account until it is earned by the SEC for          lications.\tThe\toverall\tobjective\twas\tto\tevaluate\tthe\t\nfuture registrant filings. The SEC returns amounts           SEC\xe2\x80\x99s\tsystems\tC&A\tprocess\tand\tdetermine\tif\tthere\t\nin the deposit liability account to the registrant if the    are areas that need strengthening.\naccount has not had any activity against it for three\nyears, or upon request from the registrant.                  NIT\tfound\tthat\tOIT\xe2\x80\x99s\tdocumentation\tto\tsup\xc2\xad\n                                                             port evaluating some systems security controls\nThe audit found that OFM needs to strengthen its             needs improvement. The evaluation further found\nReference Guide, Chapter 80.03, Filing Fee Rev\xc2\xad              that contractors did not provide enough evidence\nenue, August 2012, in the area of filing fees. During        within the security testing and evaluation (ST&E)\na system walk-through, the contractor determined             to demonstrate they had examined documenta\xc2\xad\nthat OFM does not have a process for confirming              tion, conducted interviews, and tested the security\nregistrant bank information. As a result, there is a         controls for the ST&E. Consequently, the ST&E\nrisk of unauthorized requests for refunds. In addi\xc2\xad          needed\tsupport\tto\tdemonstrate\tthe\tassessor\xe2\x80\x99s\tmethod\t\ntion, OFM needs to strengthen its policies and proce\xc2\xad        for examining, interviewing, and testing security\ndures related to clearing cancelled refund checks to         controls. The evaluation further found one ST&E\nensure a reasonable timeline is established. The lack        was not done for a contractor system and OIT did\nof a reasonable timeline could delay processing reg\xc2\xad         not require ST&Es for contractor systems.\n\n\n\n\n10   |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0cFurther, the evaluation found the designated approv\xc2\xad     ment\tunder\tIPERA,\ta\treview\tof\trelevant\tdata\tin\tthe\t\ning authority (DAA) did not review and verify            fiscal year 2012 Agency Financial Report (AFR),\nthe terms and conditions set forth in the system         and\ta\treview\tof\tthe\tSEC\xe2\x80\x99s\tIPERA\tRisk\tAssessment\t\nauthorization on an annual basis, as described in        Summary Report dated September 11, 2012. The\nthe authorization to operate letter. Also, the DAA       risk\tassessment\tdetermined\tthat\tnone\tof\tthe\tSEC\xe2\x80\x99s\t\nreviewed and verified the terms and conditions of        programs and activities were susceptible to signifi\xc2\xad\nSEC\xe2\x80\x99s\tsecurity\tcontrols\ton\ta\tthree-year\tcycle,\trather\t   cant improper payments at or above the threshold\nthan on the recommended continuous basis.                levels set by OMB. Furthermore, the AFR stated that\n                                                         the SEC determined that implementing a payment\nThe evaluation also found that personally identifi\xc2\xad      recapture program was not cost-effective; nonethe\xc2\xad\nable\tinformation\t(PII)\tis\tnot\tconsistently\tdocumented\t   less, the SEC strives to recover overpayments that\nin\tsome\tC&A\tpackages.\tMoreover,\tPII\trelated\tto\t          are identified through other sources. Based on our\nsome systems was inconsistent with the reviewed          review of information OIG determined that the\nC&A documentation.                                       SEC\twas\tin\tcompliance\twith\tIPERA\tfor\tfiscal\tyear\t\n                                                         2012.\tThis\treport\tis\tavailable\ton\tthe\tOIG\xe2\x80\x99s\twebsite\t\nAdditionally,\tNIT\tdetermined\tthat\tthe\tSEC\xe2\x80\x99s\tinfor\xc2\xad       at:\thttp://www.sec-oig.gov/Reports/Other/FY2012_\nmation system owners did not fully understand            IPERAComplianceReport_3.11.2013.pdf.\ntheir roles and responsibilities in the C&A process.\nFinally, the evaluation found that system owners did\nnot receive formal role-based IT security training       pendinG audits and evaluatiOns\nor guidance based on their roles and responsibilities\nas system owners and were approving C&A pack\xc2\xad            hiring practices for senior level\nages without having technical knowledge, which           positions at the sec\ncould potentially result in data not being properly      The\tobjectives\tof\tthe\taudit\tare\tto\texamine\twhether\t\nprotected.                                               OHR: (1) adheres to applicable federal statutes and\n                                                         regulations and has adequate policies and proce\xc2\xad\nThe OIG issued the final report on March 27,             dures covering senior level vacancies in the com\xc2\xad\n2013, and made seven recommendations intended            petitive service and excepted service, and for senior\nto\tstrengthen\tthe\tSEC\xe2\x80\x99s\tC&A\tprocess,\twhich\tOIT\t          officers;\t(2)\tensures\tthe\tSEC\xe2\x80\x99s\thiring\tand\tpromotion\t\nagreed to fully implement. This report is available      practices are carried out in a fair and consistent\non\tthe\tOIG\xe2\x80\x99s\twebsite\tat:\thttp://www.sec-oig.gov/\t        manner, and in accordance with applicable federal\nReports/AuditsInspections/2013/515.pdf.                  statutes, regulations, and OHR policy requirements;\n                                                         (3) commu-nicates its hiring authority, decisions, and\ninspector General\xe2\x80\x99s report of the                        changes to the appropriate personnel; (4) ensures\nu.s. securities and exchange commission\xe2\x80\x99s                hiring and promotion decisions are documented\nfiscal Year 2012 compliance with the                     in accordance with applicable federal statutes and\nimproper payments elimination and                        regulations; and (5) takes action in accordance with\nrecovery act                                             applicable federal statutes and regulations and OHR\nOn March 11, 2013, the OIG completed a review of         policies pertaining to improper hiring or promotions.\nthe\tSEC\xe2\x80\x99s\tcompliance\twith\tthe\tImproper\tPayments\t\nElimination\tand\tRecovery\tAct\tof\t2010\t(IPERA)\tfor\t        Fieldwork has been completed and we are drafting\nfiscal year 2012. The review consisted of interviews     the report.\nwith\tOFM\tofficials\tregarding\tthe\tSEC\xe2\x80\x99s\trisk\tassess\xc2\xad\n\n\n\n\n                                                         OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                  |   11\n\x0cthe sec rulemaking procedures and                     making.\tThe\tobjectives\tof\tthe\tevaluation\tare\tto\t\ncurrent Guidance on economic                          determine whether: (1) the economic analysis in\nanalysis in rulemakings                               newly proposed and final Commission rules com\xc2\xad\nThe\tOIG\tinitiated\tan\taudit\tto\tevaluate\tthe\tSEC\xe2\x80\x99s\t     plies with the principles and policies identified in\nimplementation of the Current Guidance on             the Current Guidance; (2) the SEC uses the Current\nEconomic Analysis in SEC Rulemakings (Current         Guidance for economic analyses of rulemakings of\nGuidance), issued on March 16, 2012. In addition,     the\tPCAOB,\tFINRA,\tand\tother\tSROs\tunder\tthe\t\nthe OIG engaged a contractor to perform an evalu\xc2\xad     SEC\xe2\x80\x99s\tjurisdiction;\t(3)\tthe\tCurrent\tGuidance\thas\t\nation\tof\tthe\tSEC\xe2\x80\x99s\tadherence\tto\tthe\tCurrent\tGuid\xc2\xad     been effectively implemented; (4) the SEC rulemak\xc2\xad\nance. Both the audit and evaluation were requested    ing offices use a consistent methodology for econom\xc2\xad\nby the Chairman of the House of Representatives       ic analyses; and (5) further improvements are needed\nCommittee on Oversight and Government Reform          for\tthe\tSEC\xe2\x80\x99s\trulemaking\tprocesses\tand\tprocedures.\n(House Oversight Committee) and the Chairman of\nits\tSubcommittee\ton\tTroubled\tAsset\tRelief\tProgram\t    Fieldwork\tfor\tboth\tprojects\thas\tbeen\tcompleted.\t\n(TARP),\tFinancial\tServices\tand\tBailouts\tof\tPublic\t    The\tOIG\twill\tissue\tseparate\treports\tfor\tPhase\t1\tand\t\nand\tPrivate\tPrograms\t(Subcommittee\ton\tTARP).\t         2 before the end of the next semiannual reporting\n                                                      period.\nOn December 21, 2012, the OIG sent letters to the\nChairman of the House Oversight Committee and         Government purchase card and\nthe\tChairman\tof\tthe\tSubcommittee\ton\tTARP\toutlin\xc2\xad      convenience check Operations and\ning\tthe\tOIG\xe2\x80\x99s\ttwo-part\t(Phase\t1\tand\t2)\tapproach\tto\t   practices at the sec\nrespond to their request.                             The\tOIG\tcommenced\tan\taudit\tof\tthe\tSEC\xe2\x80\x99s\tgovern\xc2\xad\n                                                      ment purchase card and convenience check opera\xc2\xad\nFor\tPhase\t1,\tthe\tOIG\tis\tconducting\tan\taudit\tthat\t     tions and practices as a result of requirements set\nexamines\tthe\tSEC\xe2\x80\x99s\trulemaking\tprocedures\tand\t         forth\tin\tthe\tGovernment\tCharge\tCard\tAbuse\tPreven\xc2\xad\nguidance.\tThe\taudit\tobjectives\tare\tto\tdetermine\t      tion\tAct\tof\t2012.\tThe\tobjectives\tof\tthe\taudit\tare\tto\t\nwhether the: (1) SEC has established and imple\xc2\xad       (1)\tdetermine\twhether\tthe\tSEC\xe2\x80\x99s\tpurchase\tcard\tand\t\nmented procedures for a methodical rulemaking         convenience check programs operate effectively and\nprocess in accordance with its Current Guidance;      are properly managed in compliance with govern\xc2\xad\n(2) SEC developed and uses procedures to improve      ing laws and regulations, and agency policy; and (2)\nthe rulemaking process such as hiring additional      assess\twhether\tthe\tSEC\xe2\x80\x99s\tpurchase\tcard\tand\tconve\xc2\xad\neconomists and implementing a systematic review       nience\tcheck\tprograms\xe2\x80\x99\tinternal\tcontrols\thave\tbeen\t\nprocess; and (3) Current Guidance incorporates the    adequately designed, appropriately implemented,\nOIG\xe2\x80\x99s\tand\tother\tcommenters\xe2\x80\x99\trecommendations\ton\t       and are operating effectively to detect misuse, fraud,\nSEC rulemaking.                                       waste, or abuse. We will also determine if there are\n                                                      best practices or areas needing improvement.\nFor\tPhase\t2,\tthe\tOIG\tengaged\ta\tcontractor\tto\t\nassist\tin\tcompleting\tan\tevaluation\tof\tthe\tSEC\xe2\x80\x99s\t      Fieldwork is ongoing and we expect to issue a final\nadherence to its Current Guidance in recent rule-     report by the next semiannual reporting period.\n\n\n\n\n12   |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0c                               inveStigationS\n\n\nOverview                                                action. Those actions include: initiating an investiga\xc2\xad\n\n\n\nT\n        he OIG Office of Investigations is responsi\xc2\xad    tion, referring the matter to management, and refer\xc2\xad\n        ble for OIG activities related to the preven\xc2\xad   ring the complaint to another agency. Upon com\xc2\xad\n        tion, detection, and investigation of fraud,    pletion of an investigation, the OIG issues a report\nwaste, and abuse in connection with SEC programs        of investigation that sets forth the evidence obtained\nand operations. The OIG investigates allegations        during the investigation. Investigative matters are\nof violations of statutes, rules, and regulations and   referred to SEC management and the U.S. Depart\xc2\xad\nother misconduct by SEC staff and contractors.          ment of Justice as appropriate. In some instances,\nThe misconduct investigated ranges from criminal        an OIG investigation may identify possible weak\xc2\xad\nwrongdoing and fraud to violations of SEC rules         nesses or internal control issues requiring corrective\nand policies and the Standards of Ethical Conduct       action by agency management. As a result, the OIG\nfor Employees of the Executive Branch. The Office       may issue a separate investigative memorandum to\nof Investigations conducts its independent investiga\xc2\xad   management for corrective action.\ntions in accordance with CIGIE Quality Standards\nfor Investigations and OIG Investigations policy.\n                                                        investiGatiOns and inquiries\nThe OIG receives complaints through the OIG             cOnducted\nComplaint Hotline (telephone and web-based),\ne-mail, mail, and facsimile. Complaints may be made     follow-up investigation relating to forensic\nanonymously by calling the Hotline, which is staffed    analysis of division of trading and Markets\nand answered 24 hours a day, 7 days a week, or by       laptops (report no. OiG-577)\ncompleting an online complaint form. In addition,       An OIG investigation completed during the pre\xc2\xad\nOIG receives allegations from SEC employees of          vious semiannual reporting period (OIG-557)\nwaste, abuse, misconduct, or mismanagement within       determined that staff working in a Division of Trad\xc2\xad\nthe agency through the OIG SEC Employee Sugges\xc2\xad         ing and Markets computer security lab had used\ntion\tProgram,\twhich\twas\testablished\tpursuant\tto\t        laptops that were unencrypted and did not have\nSection 966 of the Dodd-Frank Act.                      virus protection during SRO and clearing agency\n                                                        inspections in violation of the SEC information\nThe OIG reviews and analyzes all complaints             technology security policies.\nreceived to determine the appropriate course of\n\n\n\n\n                                                        OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                   |   13\n\x0cIn\tresponse\tto\tthe\tOIG\xe2\x80\x99s\tfindings,\tSEC\tmanage\xc2\xad          OHR. The contractor had received two anonymous\nment contracted with an outside forensics team          communications sent via U.S. mail to SEC head\xc2\xad\nto conduct testing and related work on selected         quarters, which the contractor found to be offen\xc2\xad\nlaptops that lab staff had used on inspections.         sive. The contractor had also received a series of\nThe outside firm subsequently reported that it had      e-mail messages from the SEC employee regarding a\nfound no evidence of active malware operating on        purported relationship between the contractor and\nthose laptops. However, the firm confirmed several      another SEC employee. During the investigation,\nvulnerabilities that posed a risk to SEC systems and    OHR referred to OIG additional allegations made\nthe data of regulated entities and offered no opinion   by the SEC employee of inappropriate touching by\nwith\trespect\tto\tthe\tlab\xe2\x80\x99s\tother\tlaptops\tand\tcomputer\t   the contractor.\ndevices. The firm also reported that one of the lap-\ntops examined was reformatted and a new operat\xc2\xad         The\tOIG\xe2\x80\x99s\tinvestigation\tfocused\ton\twhether\tthere\t\ning system was installed shortly before the forensic    was any evidence of stalking or harassment under\nexamination.                                            the applicable laws and whether there was any evi\xc2\xad\n                                                        dence of inappropriate touching. The OIG investi\xc2\xad\nTo ensure that appropriate, independent forensic        gation did not identify the sender of the anonymous\nanalysis was performed on the laptops that the firm     communications to the SEC contractor. The OIG\nretained by the SEC had not examined, the OIG           found insufficient evidence to warrant a criminal\narranged for the Federal Deposit Insurance Corpo\xc2\xad       referral based upon the e-mail communications\nration Office of Inspector General Economic Crimes      from the SEC employee. The OIG also did not find\nUnit (FDIC OIG ECU) to conduct forensic analy\xc2\xad          evidence that the purported inappropriate touching\nsis of certain laptops and to independently verify      was unreasonable or inappropriate. As a result, the\nthe\tresults\tof\tthe\tSEC\tOIT\xe2\x80\x99s\ttesting\tof\tadditional\t     OIG determined no further action was warranted\nlaptops. The forensic analysis performed by FDIC        and closed its investigation.\nOIG ECU and the SEC OIT found no evidence of\na breach or compromise on the additional laptops        alleged Misuse of federal Government\nexamined.                                               resources, failure to protect sensitive\n                                                        Government information, and circumven\xc2\xad\nFurther, the investigation found that a lab informa\xc2\xad    tion of information technology procedures\ntion technology specialist reformatted two laptop       (report no. OiG-580)\ndrives before the laptops were collected by OIT.        The OIG investigated a complaint alleging that an\nHowever, the OIG did not find evidence that the         SEC headquarters employee had failed to appropri\xc2\xad\ndrives were reformatted in an effort to interfere       ately secure sensitive financial industry data in viola\xc2\xad\nwith\tOIG\xe2\x80\x99s\tongoing\tinvestigation\tof\tthe\tcomputer\t       tion of SEC policy and had provided unauthorized\nsecurity lab. The OIG also did not find evidence        access to this data to other employees.\nthat lab management had directed, or was aware of,\nthe reformatting.                                       The\tcomplainant\talso\talleged\tthat\tthis\temployee\xe2\x80\x99s\t\n                                                        division was attempting to improperly manage cer\xc2\xad\nallegations of potential stalking,                      tain information technology-related services within\nharassment, and inappropriate touching                  the division without the involvement of OIT.\n(report no. OiG-579)\nThe OIG investigated allegations of potential stalk\xc2\xad    In addition, the OIG investigated additional\ning and harassment of an SEC contractor by an           information referred by OHR and OIT showing\nSEC employee that were referred to the OIG by           that\tthe\temployee\thad\taccessed\tPII\tfor\tcurrent\tand\t\n\n\n\n\n14   |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0cformer SEC employees, without the knowledge               The investigation found, however, that the telework\xc2\xad\nand\tapproval\tof\tthe\temployee\xe2\x80\x99s\tcurrent\tsupervi\xc2\xad           ing\temployee\xe2\x80\x99s\tofficial\tduty\tstation\twas\timproperly\t\nsors and without any apparent legitimate need for         set and, as a result, the employee was paid inaccu\xc2\xad\nthat information. Due to concerns about protecting        rately. The OIG further found that the SEC did not\nthe\tagency\xe2\x80\x99s\tinformation,\tmanagement\tplaced\tthe\t          have written policies and procedures for setting the\nemployee on administrative leave pending comple\xc2\xad          official duty station and locality pay for employees\ntion of the OIG investigation.                            on long-distance telework, and that the locality pay\n                                                          rates for employees on long-distance telework had\nThe\tOIG\xe2\x80\x99s\tinvestigation\tfound\tno\tevidence\tthat\tthe\t       not been determined in a consistent manner. On\nemployee\thad\taccessed\tPII\tdata\tfor\tany\timproper\t          March 25, 2013, the OIG issued an investigative\npurpose. To the contrary, evidence obtained through       memorandum to management (IM-13-0001) to\ne-mail searches and interviews of relevant personnel      address the deficiencies identified and, as a result,\nshowed that the employee had recently transferred         closed this investigation. This memorandum is\nto his current division from another headquarters         available\ton\tthe\tOIG\xe2\x80\x99s\twebsite\tat:\thttp://www.\noffice and, after his transfer, had continued to access   sec-oig.gov/Reports/OOI/2013\t/IM-13-001(Long-\nSEC\temployee\tPII\tdata\tto\tassist\tstaff\twith\twhom\the\t       Distance-Telework).pdf.\nhad\tbeen\tworking\tin\this\tprevious\toffice\ton\ta\tproject.\t\nMoreover, there was no evidence that the employee         allegation of improper promotion\ntransmitted\tsensitive\tdata,\tincluding\tPII,\toutside\tthe\t   (pi 11-38)\nSEC. The OIG did not substantiate the remaining           The OIG conducted an inquiry into an anony\xc2\xad\nallegations investigated.                                 mous complaint alleging that an SEC headquarters\n                                                          supervisor\xe2\x80\x99s\tpromotion\tof\ta\tcolleague\twas\tinappro\xc2\xad\nAs a consequence, the OIG closed its investigation        priate because it resulted from a personal friendship\nand management cleared the employee to return             between the supervisor and the colleague. The com\xc2\xad\nto work. We referred the issue of controls over           plaint also alleged that the promotion was improper\naccess to information when an employee transfers          because the employee who was promoted had previ\xc2\xad\nto another division or office to the OIG Office of        ously been removed from a supervisory position due\nAudits for consideration of possible future audit         to performance issues.\nwork.\n                                                          The inquiry found evidence that the supervisor and\nalleged violations of federal travel                      the colleague who was promoted were friends and\nregulation by employee participating in                   had vacationed together in the past. However, based\na long-distance telework arrangement                      upon our review of hiring documentation, e-mail\n(report no. OiG-584)                                      evidence and interview of the supervisor, we found\nThe OIG investigated an anonymous complaint               no evidence that the promotion violated federal\nalleging\tthat\tthe\tSEC\xe2\x80\x99s\tpayment\tof\tcosts\tfor\tan\t          personnel laws. Moreover, the OIG, after consulta\xc2\xad\nemployee teleworking from a remote location to            tion\twith\tthe\tSEC\xe2\x80\x99s\tEthics\tOffice,\tdetermined\tthat\t\ntravel to and from headquarters violated the Federal      the promotion did not violate any ethics regulations.\nTravel Regulation (FTR). The OIG found that the           Further, the OIG found that the allegation that the\nemployee\xe2\x80\x99s\ttelework\tarrangement\twas\tauthorized\t           employee had previously been removed from a\nand that payment of travel expenses for the               supervisory position was not substantiated. There\xc2\xad\nemployee\xe2\x80\x99s\tperiodic\ttrips\tto\theadquarters\tdid\tnot\t        fore, the OIG determined that no further action was\nviolate the FTR.                                          warranted.\n\n\n\n\n                                                          OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                 |   15\n\x0ctime and attendance violations in sec                     The OIG did not identify evidence to substantiate\nregional Office (pi 11-40)                                the allegation that the senior SEC official requested\nThe OIG performed an inquiry into an anonymous            that an unidentified former roommate, or anyone\ncomplaint alleging that an SEC regional office            else,\tbe\tadded\tto\tthe\tcontractor\xe2\x80\x99s\tteam.\tThe\tOIG\t\nsupervisor left the office for extended periods of        also did not identify evidence to substantiate the\ntime,\toften\tduring\tthe\tregional\toffice\xe2\x80\x99s\tcore\tbusiness\t   allegation that the senior SEC official improperly\nhours, without properly recording the time. The           influenced the technical evaluation panel to award\ninquiry found evidence that the supervisor often          the contract at issue to a particular firm. While the\nleft the office during the day, at times for extended     senior official participated as a non-voting mem\xc2\xad\nperiods\tand\tduring\tthe\tregional\toffice\xe2\x80\x99s\tcore\thours,\t     ber of the technical evaluation team and attended\nand on some occasions did not take leave for              presentations by three contracting firms, we did not\nabsences. The OIG further found that although the         find evidence that the senior official influenced the\nsupervisor had been granted schedule flexibility by       panel\xe2\x80\x99s\tdecision.\tAs\ta\tresult,\ton\tJanuary\t31,\t2013,\t\nhis superiors and often worked extra hours to make        the OIG issued a memorandum report to the agency\nup\tfor\tthe\ttimes\taway\tfrom\tthe\toffice,\tthe\tSEC\xe2\x80\x99s\t         for informational purposes and closed this matter.\nprocedures for earning and using credit hours were\nnot followed.                                             complaints of waste, Mismanagement,\n                                                          and conflicts of interest in a division of\nOn December 12, 2012, the OIG referred the                enforcement computer lab (pi 12-20)\nmatter to management for consideration of any             The OIG completed an inquiry into allegations\nappropriate follow-up or administrative action.           received through the OIG Employee Suggestion\nThereafter, management counseled the supervisor           Program\tHotline\tregarding\ta\tcomputer\tlab\twithin\t\nconcerning his time and attendance.                       the Division of Enforcement. The OIG focused its\n                                                          inquiry on allegations of possible conflicts of interest\nallegations of procurement violations                     on the part of a lab staff member and a contractor\n(pi 12-11)                                                used by the lab, as well as waste involving laptops.\nThe OIG completed its inquiry into allegations            We referred other allegations of mismanagement of\nof procurement violations in the award of certain         contracts and waste to the OIG Office of Audits for\nwork to a contractor. The inquiry arose from an           consideration of possible future audit work.\nanonymous complaint that alleged a senior SEC\nofficial requested that an unidentified former room\xc2\xad      The evidence obtained and reviewed during the\nmate\tbe\tadded\tto\ta\tcontractor\xe2\x80\x99s\tteam\tand\tinappro\xc2\xad         inquiry did not substantiate the conflict-of-interest\npriately influenced an agency acquisition panel to        allegations. Further, the OIG did not find evidence\naward the work to that contractor.                        that lab staff had access to an excessive number of\n                                                          laptops\tand\tconfirmed\tthat\tthe\tlab\xe2\x80\x99s\tlaptops\twere\t\n                                                          equipped with appropriate encryption. As a conse\xc2\xad\n                                                          quence, the OIG closed its inquiry.\n\n\n\n\n16   |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0c  RevieW of legiSlation\n    and RegulationS\n\n\nD\n        uring this semiannual reporting period, the OIG reviewed and\n        monitored the following legislation:\n\n\n\np.l. 112-194\n\nGovernment\tCharge\tCard\tAbuse\tPrevention\tAct\tof\t2012\n\t\n\np.l. 112-199\n\nWhistleblower\tProtection\tEnhancement\tAct\tof\t2012\n\t\n\np.l. 112-248\n\nImproper\tPayments\tElimination\tand\tRecovery\tImprovement\tAct\tof\t2012\n\n\np.l. 112-239\n\nThe\tNational\tDefense\tAuthorization\tAct\tfor\tFiscal\tYear\t2013\n\t\n\n\n\n\n                                       OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013   |   17\n\x0c                 management deCiSionS\n\n\n\n     status Of recOMMendatiOns with nO ManaGeMent decisiOns\n     Management decisions have been made on all audit reports issued before the beginning of\n     this reporting period.\n\n\n\n     revised ManaGeMent decisiOns\n     no management decisions were revised during the period.\n\n\n\n     aGreeMent with siGnificant ManaGeMent decisiOns\n     the OiG agrees with all significant management decisions regarding audit\n     recommendations.\n\n\n\n     instances where infOrMatiOn was refused\n     during this reporting period, there were no instances where information was refused.\n\n\n\n\n18    |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0c                                            taBleS\ntable 1. list of reports: audit and evaluations\n\n     report number                                   title                                  date issued\n\n         509          sec\xe2\x80\x99s controls Over sensitive/nonpublic information collected and\n                      exchanged with the financial stability Oversight council and\n                      Office of financial research                                           3/25/2013\n\n         511          evaluation of the sec\xe2\x80\x99s whistleblower program                          1/18/2013\n\n         512          2012 federal information security Management act\n                      executive summary                                                      3/29/2013\n\n         513          audit of sec\xe2\x80\x99s controls over support service, expert and\n                      consulting service contracts                                           3/29/2013\n\n         514          audit of the sec\xe2\x80\x99s filing fees program                                 3/29/2013\n\n         515          review of the sec\xe2\x80\x99s systems certification and accreditation process    3/27/2013\n\n         n/a          inspector General\xe2\x80\x99s report of the u.s. securities and exchange\n                      commission\xe2\x80\x99s fiscal Year 2012 compliance with the improper\n                      payments elimination and recovery act                                  3/11/2013\n\n\n\n\ntable 2. reports issued with costs questioned or funds put to better use\n(including disallowed costs)\n\n                                                                         no. of reports         value\n\na. reports issued prior to this period\n\n      for which no management decision had been made on any\n      issue at the commencement of the reporting period                          0               $0\n\n      for which some decisions had been made on some issues at the\n      commencement of the reporting period                                       0               $0\n\nb.    reports issued during this period                                          0               $0\n\n                                           total of categories a and b           0               $0\n\nc.    for which final management decisions were made during this period          0               $0\n\nd.    for which no management decisions were made during this period             0               $0\n\ne.    for which management decisions were made on some issues\n      during this period                                                         0               $0\n\n                                           total of categories c, d, and e       0               $0\n\n\n\n\n                                                             OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013         |    19\n\x0ctable 3. reports with recommendations on which corrective action has not been completed\nduring this semiannual reporting period, sec management provided the OiG with documentation to\nsupport their implementation of OiG recommendations. in response, the OiG closed 51 recommendations\nrelated to 13 Office of audits and Office of investigations reports. the following table lists recommenda\xc2\xad\ntions open 180 days or more.\n\n report number and title         issue date                   recommendation summary\n\n474 - assessment of the          3/29/2010      require that a bounty file (hard copy or electronic)\nsec\xe2\x80\x99s bounty program                            be created for each bounty application, which should\n                                                contain at a minimum the bounty application, any cor\xc2\xad\n                                                respondence with the whistleblower, documentation of\n                                                how the whistleblower\xe2\x80\x99s information was utilized, and\n                                                documentation regarding significant decisions made\n                                                with regard to the whistleblower\xe2\x80\x99s complaint.\n480 - review of the sec\xe2\x80\x99s        9/27/2010      update form 13f to a more structured format, such as\nsection 13(f) reporting                         extensible Markup language, to make it easier for users\nrequirements                                    and researchers to extract and analyze section 13(f)\n                                                data.\n482 - Oversight of and           6/29/2011      in plans for implementing section 965 of the dodd\xc2\xad\ncompliance with condi\xc2\xad                          frank wall street reform and consumer protection act,\ntions and representations                       develop procedures to coordinate examinations with\nrelated to exemptive                            those conducted by the Office of compliance inspec\xc2\xad\nOrders and no-action                            tions and examinations and, as appropriate, include\nletters                                         provisions for reviewing for compliance with the condi\xc2\xad\n                                                tions in exemptive orders and representations made in\n                                                no-action letters on a risk basis.\n482 - continued                                 in connection with monitoring efforts, include compli\xc2\xad\n                                                ance with the conditions and representations in signifi\xc2\xad\n                                                cant exemptive orders and/or no-action letters issued\n                                                to regulated entities as risk considerations.\n485 - assessment of the          9/29/2010      evaluate risk assessment processes for scoring risk\nsec\xe2\x80\x99s privacy program                           to ensure that the Office of information technology\n                                                adequately weighs all appropriate factors, including the\n                                                identification of risk levels by vendors.\n485 - continued                                 implement an agency-wide policy regarding shared\n                                                folder structure and access rights, ensuring that only\n                                                the employees involved with a particular case have\n                                                access to that data. if an employee backs up additional\n                                                information to the shared resources, only the employee\n                                                and his or her supervisor should have access.\n485 - continued                                 ensure personal storage tab (pst) files are saved to a\n                                                protected folder.\n489 - 2010 annual fisMa           3/3/2011      complete a logical access integration of the homeland\nexecutive summary report                        security presidential directive 12 card no later than\n                                                december 2011, as reported to the Office of Manage\xc2\xad\n                                                ment and budget on december 31, 2010.\n\n\n\n\n20   |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0ctable 3. reports with recommendations, continued\nrecommendations Open 180 days or more\n report number and title      issue date                recommendation summary\n\n491 - review of alternative   9/28/2011    in developing the new human capital directive, work\nwork arrangements, Over\xc2\xad                   with the national treasury employees union to deter\xc2\xad\ntime compensation, and                     mine whether additional alternative work schedules,\ncOOp-related activities at                 such as the gliding, variable day, variable week, three-\nthe sec                                    day workweek, and Maxiflex options described in the\n                                           Office of personnel Management handbook on alterna\xc2\xad\n                                           tive work schedules, should be adopted as options for\n                                           sec employees.\n491 - continued                            negotiate revisions to the language in the collective\n                                           bargaining agreement between the commission and\n                                           the national treasury employees union with respect to\n                                           the use of credit hours by employees working con\xc2\xad\n                                           forming schedules, ensuring that the revised language\n                                           conforms with applicable law.\n492 - audit of sec\xe2\x80\x99s          8/2/2011     develop and implement a mechanism to reward\nemployee recognition                       employees for superior or meritorious performance\nprogram and recruitment,                   within their job responsibilities through lump-sum per\xc2\xad\nrelocation, and retention                  formance awards.\nincentives\n497 - assessment of sec\xe2\x80\x99s     8/11/2011    ensure that security controls configurations that are\ncontinuous Monitoring                      applied in the production environment are identical\nprogram                                    with those applied in the testing environment.\n497 - continued                            develop and implement written procedures to ensure\n                                           consistency in the commission\xe2\x80\x99s production and testing\n                                           environments. these procedures should detail the soft\xc2\xad\n                                           ware and hardware components in both environments\n                                           and specify the actions required to maintain consistent\n                                           environments.\n497 - continued                            ensure that tapes are handled appropriately.\n500 - assessment of sec\xe2\x80\x99s     3/16/2012    identify capacity requirements for all servers, ensure\nsystem and network logs                    sufficient capacity is available for the storage of audit\n                                           records, configure auditing to reduce the likelihood that\n                                           capacity will be exceeded, and implement a mechanism\n                                           to alert and notify appropriate commission office/divi\xc2\xad\n                                           sions when log storage capacity is reached.\n\n500 - continued                            review and update all logging policies and procedures\n                                           consistent with the policy\xe2\x80\x99s review interval requirements\n                                           and retain evidence of its reviews and any updates to\n                                           the policy.\n501 - 2011 annual fisMa       2/2/2012     develop and implement a detailed plan to review and\nexecutive summary report                   update Oit security policies and procedures and to cre\xc2\xad\n                                           ate Oit security policies and procedures for areas that\n                                           lack formal policy and procedures.\n\n\n\n\n                                                  OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                   |   21\n\x0ctable 3. reports with recommendations, continued\nrecommendations Open 180 days or more\n report number and title     issue date                 recommendation summary\n\n501 - continued             2/2/2012      develop a comprehensive risk management strategy\n                                          in accordance with national institute of standards and\n                                          technology\xe2\x80\x99s (nist) Guide for Applying the Risk Man\xc2\xad\n                                          agement Framework to Federal Information Systems:\n                                          A Security Life Cycle Approach, which will ensure that\n                                          management of system-related security risks is con\xc2\xad\n                                          sistent with the sec\xe2\x80\x99s mission/business objectives and\n                                          overall risk strategy.\n501 - continued                           update risk management policy to include language\n                                          regarding developing a comprehensive governance\n                                          structure and ensure that management of system-\n                                          related security risks is consistent with the sec\xe2\x80\x99s mis\xc2\xad\n                                          sion/business objectives and overall risk strategy.\n501 - continued                           develop and implement a formal risk management\n                                          procedure that identifies an acceptable process for\n                                          evaluating system risk consistent with the commission\xe2\x80\x99s\n                                          mission or business objectives and overall risk strategy.\n501 - continued                           develop and implement formal policy that addresses\n                                          tailoring baseline security controls sets.\n501 - continued                           determine whether to perform the tailoring process at\n                                          the organization level for all information systems (either\n                                          as the required tailored baseline or as the starting point\n                                          for system-specific tailoring) at the individual informa\xc2\xad\n                                          tion system level, or by using a combination of organi\xc2\xad\n                                          zation-level and system-specific approaches.\n501 - continued                           tailor a baseline security controls set (with rationale) for\n                                          applicable systems in accordance with nist\xe2\x80\x99s Guide for\n                                          Applying the Risk Management Framework to Federal\n                                          Information Systems: A Security Life Cycle Approach,\n                                          and NIST\xe2\x80\x99s Recommended Security Controls for Federal\n                                          Information Systems and Organizations.\n501 - continued                           review and document the current standard baseline\n                                          configuration, including identification of approved\n                                          deviations and exceptions to the standard.\n501 - continued                           conduct compliance scans of information technology\n                                          devices, according to the organizationally defined fre\xc2\xad\n                                          quency in the policy and procedures, to ensure that all\n                                          devices are configured as required by Oit\xe2\x80\x99s configura\xc2\xad\n                                          tion management policy and procedures.\n501 - continued                           complete the implementation of the technical solu\xc2\xad\n                                          tion for linking multi-factor authentication to personal\n                                          identity verification cards for system authentication and\n                                          require use of the cards as a second authentication\n                                          factor by december 2012.\n\n\n\n\n22   |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0ctable 3. reports with recommendations, continued\nrecommendations Open 180 days or more\n report number and title     issue date                 recommendation summary\n\n502 - review of the sec\xe2\x80\x99s   4/23/2012     complete the review of the agency-wide continuity of\ncontinuity of Operations                  operations program (cOOp) to ensure the sec\xe2\x80\x99s cOOp\nprogram                                   is comprehensive, cohesive, and in compliance with\n                                          federal guidance.\n502 - continued                           revise and update the sec\xe2\x80\x99s continuity of operations\n                                          program policies and procedures to ensure they are\n                                          comprehensive, complete, and up-to-date.\n502 - continued                           update, revise, and finalize all cOOp documents,\n                                          including the overall headquarters cOOp plan, indi\xc2\xad\n                                          vidual division/office cOOp plans, regional office cOOp\n                                          supplements, disaster recovery plans, business continu\xc2\xad\n                                          ity plans and business impact analyses, and pandemic\n                                          plans supplements.\n502 - continued                           ensure that vital records and lines of succession are\n                                          properly identified, documented and readily available\n                                          during continuity events.\n502 - continued                           revise the sec system recovery time objectives to\n                                          specify more realistic timeframes, based on the ability\n                                          to transition to the alternate site, and then determine\n                                          acceptable recovery times.\n502 - continued                           add elements to contracts and service level agreements\n                                          for externally hosted systems to provide appropriate\n                                          methods by which the sec can obtain assurance that\n                                          appropriate disaster recovery plan testing is performed\n                                          on mission essential and federal information security\n                                          Management act reportable systems and to ensure the\n                                          systems are able to function during unscheduled events.\n502 - continued                           include elements of testing from an alternate site in the\n                                          regional office continuity of operations program, disas\xc2\xad\n                                          ter recovery, and business continuity plan testing on a\n                                          periodic basis to ensure the necessary capability and\n                                          functionality for regional office activities are in place.\n502 - continued                           categorize essential personnel according to necessary\n                                          functions, based on various realistic scenarios (such as\n                                          headquarters or Operations center locations becoming\n                                          inaccessible or not operational, including traffic condi\xc2\xad\n                                          tions that would affect the scenario).\n502 \xe2\x80\x93 continued                           specify when commission personnel are to telework\n                                          after an event and when they must go to the designat\xc2\xad\n                                          ed alternate locations instead of teleworking.\n\n\n\n\n                                                 OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                  |     23\n\x0ctable 3. reports with recommendations, continued\nrecommendations Open 180 days or more\n report number and title         issue date                 recommendation summary\n\n502 - continued                 4/23/2012     ensure that the designated headquarters alternate\n                                              worksites are ready for use and contain sufficient equip\xc2\xad\n                                              ment and technology resources. in addition, cOOp plan\n                                              documentation should be revised to reflect current\n                                              space availability and needs, taking into account the\n                                              potential for telework and remote access.\n502 - continued                               ensure that designated alternate worksite locations are\n                                              visited and tested periodically to ensure ready access\n                                              and use.\n502 - continued                               clearly define in the continuity of operations, disaster\n                                              recovery, and business continuity plan documentation\n                                              the alternate worksite or telework locations for both\n                                              essential and non-essential personnel.\n502 - continued                               ensure that continuity of operations, disaster recovery,\n                                              and business continuity plan training occur prior to\n                                              annual tests exercises or events as recommended by\n                                              nist special publication 800-84, Guide to test, train\xc2\xad\n                                              ing, and exercise programs for information technology\n                                              plans and capabilities, in order to ensure that individu\xc2\xad\n                                              als are prepared for their specific roles during a disaster\n                                              recovery event.\n502 - continued                               ensure that an appropriate and updated Memoranda\n                                              of agreement, Memoranda of understanding and\n                                              service-level agreements are executed to provide for\n                                              alternate work site locations, capabilities, and accom\xc2\xad\n                                              modations that may be necessary to ensure continuity\n                                              of operations.\n505 \xe2\x80\x93 sec\xe2\x80\x99s records           9/30/2012       develop a vital records program that includes processes\nManagement practices                          and procedures to establish and maintain the sec\xe2\x80\x99s vital\n                                              records in accordance with applicable federal regula\xc2\xad\n                                              tions and the national archives and records adminis\xc2\xad\n                                              tration\xe2\x80\x99s guidance on vital records management.\npi-09-05 \xe2\x80\x93 sec access         2/22/2010       ensure, on a commission-wide basis, that all regional\ncard readers in regional                      offices are capable of capturing and recording building\nOffices                                       entry and exit information of commission employees.\nrOi-505 \xe2\x80\x93 failure to timely   2/26/2010       ensure as part of changes to complaint handling system\ninvestigate allegations of                    that databases used to refer complaints are updated to\nfinancial fraud                               accurately reflect status of investigations and identity\n                                              of staff.\nrOi-544 \xe2\x80\x93 failure to          1/20/2011       take immediate measures to determine whether every\ncomplete background                           Oit employee and contractor has been properly cleared\ninvestigation clearance                       by a background investigation and issued an official\nbefore Giving access to                       sec badge.\nsec buildings and\ncomputer systems\n\n\n\n\n24   |\t\tOIG\tSEMIANNUAL\tREPORT\tTO\tCONGRESS\n\x0ctable 3. reports with recommendations, continued\nrecommendations Open 180 days or more\n report number and title         issue date                recommendation summary\n\nrOi-551 \xe2\x80\x93 allegations of       3/30/2011      employ technology that will enable the agency to main\xc2\xad\nunauthorized disclosures of                   tain records of phone calls made from and received by\nnonpublic information                         sec telephones.\nduring sec investigations\nrOi-557 \xe2\x80\x93 investigation into   8/30/2012      require arp lab staff to fill out appropriate training\nthe Misuse of resources                       forms, clarify policy on continued service agreements\nand violation of it security                  (csa) and consider requiring employees to sign csas\npolicies within the division                  for training costing more than $5,000.\nof trading and Markets\n\n\n\n\n                                                     OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                |   25\n\x0cTable 4. Summary of Investigative Activity\n\n     Cases                                                              Number\n     Cases Open as of 9/30/2012                                           6\n     Cases Opened during 10/1/2012 - 3/31/2013                            12\n     Cases Closed during 10/1/2012 - 3/31/2013                            5\n     Total Open Cases as of 3/31/2013                                     13\n     Referrals to Department of Justice for Prosecution                   4\n     Prosecutions                                                         0\n     Convictions                                                          0\n     Referrals to OIG Office of Audits                                    3\n\n\n     Preliminary Inquiries                                              Number\n     Inquiries Open as of 9/30/2012                                       41\n     Inquiries Opened during 10/1/2012 - 3/31/2013                        14\n     Inquiries Closed during 10/1/2012 - 3/31/2013                       29\n     Total Open Inquiries as of 3/31/2013                                26\n     Referrals to Agency for Administrative Action                         1\n\n\n     Disciplinary Actions (including referrals made in prior periods)   Number\n     Removals (Including Resignations and Retirements)                     1\n     Suspensions                                                          2\n     Warnings/Other Actions                                               2\n\n\n\n\nTable 5. Summary of Complaint Activity\n\n     Complaints Received During the Period                              Number\n     Complaints Pending Disposition at Beginning of Period                13\n     Hotline Complaints Received                                         184\n     Other Complaints Received                                           102\n     Total Complaints Received                                          286\n     Complaints on which a Decision was Made                             282\n     Complaints Awaiting Disposition at End of Period                     17\n\n\n     Dispositions of Complaints During the Period                       Number\n     Complaints Resulting in Investigations                               5\n     Complaints Resulting in Inquiries                                    14\n     Complaints Referred to OIG Office of Audits                          5\n     Complaints Referred to Other Agency Components                      120\n     Complaints Referred to Other Agencies                                2\n     Complaints Included in Ongoing Investigations or Inquiries           10\n     Response Sent/Additional Information Requested                      48\n     No Action Needed                                                    82\n\n\n\n\n26    |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0ctable 6. references to reporting requirements of the inspector General act\n\n  section    inspector General act reporting requirement                                      pages\n\n  4(a)(2)    review of legislation and regulations                                                   17\n\n  5(a)(1)    significant problems, abuses, and deficiencies                               7\xe2\x80\x9311; 13\xe2\x80\x9316\n\n  5(a)(2)    recommendations for corrective action                                           7\xe2\x80\x9311; 15\n\n  5(a)(3)    prior recommendations not Yet implemented                                       20\xe2\x80\x9325\n\n  5(a)(4)    Matters referred to prosecutive authorities                                             26\n\n  5(a)(5)    summary of instances where information was unreasonably\n             refused or not provided                                                                 18\n\n  5(a)(6)    list of OiG audit and evaluation reports issued during the period                       19\n\n  5(a)(7)    summary of significant reports issued during the period                      7\xe2\x80\x9311; 13\xe2\x80\x9316\n\n  5(a)(8)    statistical table on Management decisions with respect to questioned costs              19\n\n  5(a)(9)    statistical table on Management decisions on recommendations that\n             funds be put to better use                                                              19\n\n  5(a)(10)   summary of each audit, inspection or evaluation report Over\n             six Months Old for which no Management decision has been Made                           18\n\n  5(a)(11)   significant revised Management decisions                                                18\n\n  5(a)(12)   significant Management decisions with which the\n             inspector General disagreed                                                             18\n\n  5(a)(14)   appendix of peer reviews conducted by another OiG                                       29\n\n\n\n\n                                                     OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013              |    27\n\x0c\x0c               appendix a\n\n     peeR RevieWS of oig opeRationS\n\npeer review Of the sec OiG\xe2\x80\x99s                            peer review Of the sec OiG\xe2\x80\x99s\naudit OperatiOns                                        investiGative OperatiOns\nIn accordance with the CIGIE quality control and        During the semiannual reporting period, SEC OIG\nassurance\tstandards,\tan\tOIG\xe2\x80\x99s\taudit\tfunctions\tare\t      did not have an external peer review of its investiga\xc2\xad\nassessed by an external OIG audit team approxi\xc2\xad         tive\toperations.\tPeer\treviews\tof\tDesignated\tFederal\t\nmately every three years. The Legal Services Corpo\xc2\xad     Entity OIGs, such as SEC OIG, are conducted on a\nration (LSC) OIG conducted an assessment of the         voluntary basis. The most recent peer review of SEC\nOffice\tof\tAudit\xe2\x80\x99s\tsystem\tof\tquality\tcontrol\tfor\tthe\t    OIG\xe2\x80\x99s\tinvestigative\toperations\twas\tconducted\tby\tthe\t\nperiod ending March 31, 2012. The review focused        U.S. Equal Employment Opportunity Commission\non whether SEC OIG established and complied             (EEOC) OIG. The EEOC OIG issued its report on\nwith a system of quality control that is suitably       SEC\tOIG\xe2\x80\x99s\tinvestigative\toperations\tin\tJuly\t2007.\t\ndesigned to provide SEC OIG with a reasonable           This\treport\tconcluded\tthat\tSEC\tOIG\xe2\x80\x99s\tsystem\tof\t\nassurance of conforming with applicable profes\xc2\xad         quality for the investigative function conformed to\nsional standards.                                       the\tprofessional\tstandards\testablished\tby\tthe\tPresi\xc2\xad\n                                                        dent\xe2\x80\x99s\tCouncil\ton\tIntegrity\tand\tEfficiency\tand\tthe\t\nOn August 23, 2012, LSC OIG issued its report,          Executive Council on Integrity and Efficiency (now\nconcluding that SEC OIG complied with the system        CIGIE).\nof quality control and that it was suitably designed\nto provide SEC OIG with reasonable assurance            An investigative operations peer review of SEC OIG\nof performing and reporting in conformity with          is scheduled for the first quarter of fiscal year 2014.\napplicable government auditing standards in all\nmaterial respects. Federal audit organizations can\nreceive a rating of \xe2\x80\x9cpass,\xe2\x80\x9d \xe2\x80\x9cpass with deficiencies,\xe2\x80\x9d\nor \xe2\x80\x9cfail.\xe2\x80\x9d SEC OIG received a \xe2\x80\x9cpass\xe2\x80\x9d rating, and\nno recommendations were made. Further, there are\nno outstanding recommendations from previous\npeer reviews of our audit organization.\n\nThe peer review report is available on the SEC\nOIG\xe2\x80\x99s\twebsite\tat:\thttp://www.sec-oig.gov/Reports/\nOther/FinalPeerReviewReport-SEC.pdf.\n\n\n\n\n                                                        OCTOBER 1, 2012\xe2\x80\x93MARCH 31, 2013                    |   29\n\x0c              OIG cOntact InfOrmatIOn\n\n\n          Help ensure the integrity of SEC operations. Report to the OIG suspected fraud, waste\n          or abuse in SEC programs or operations as well as SEC staff or contractor misconduct.\n          Contact the OIG by:\n\n          phone\t           Hotline          877.442.0854\n                           Main Office      202.551.6061\n\n          web-based        www.sec-oig.gov/ooi/hotline.html\n          hotline\n\n\n          fax\t             202.772.9265\n\n          mail\t            Office of Inspector General\n                           U.S. Securities and Exchange Commission\n                           100 F Street, NE Washington, DC 20549\xe2\x80\x932977\n\n          email\t           oig@sec.gov\n\n\n\n          Information received is held in confidence upon request. While the OIG encourages com\xc2\xad\n          plainants to provide information on how they may be contacted for additional information,\n          anonymous complaints are also accepted.\n\n\n\n\n30   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0c\x0c                                                                         Semiannual\n                                                                         Report to Congress\n                                                                         October 1, 2012 to\n                                                                         March 31, 2013\n\n\n\n\n                                                             Office Of\n                                                             inspectOr General\n\n\n\n\n        Additional copies of this report may be obtained\n\n        by contacting the Office of Inspector General at\n\n        202.551.6061. This report is also available on the               U.S. SeCURITIeS And\n\n                                                                         exChAnGe COMMISSIOn\n        Inspector General\xe2\x80\x99s website at www.sec-oig.gov.\n\n\n\n\nOIG SAR cover_final.indd 1                                                                     5/2/13 3:51 PM\n\x0c'